Abstract

Currently, mobile devices are widely used in various walks of life. The Android operating system has the highest market share of the mobile device operating system market. Android can be installed in physical mobile devices; however, Android mobile operating system emulators are also available. Users can install applications (APPs) in an emulator for convenient use without physical mobile devices. There are several message-hiding APPs (e.g., Wickr) that provide end-to-end encryption and message self-destruction mechanisms. Criminals can use these message-hiding APPs, with their anti-forensic features, to send secret messages. These message-hiding APPs, installed in an Android emulator to evade criminal investigation, make digital forensics very challenging. Investigators need to know how criminals install and use such emulators in physical devices, how criminals install and use message-hiding APPs in the emulator, and how messages can be. This study explores applications of digital forensic tools and forensic procedures to identify and analyze four message-hiding APPs installed in emulators: Wickr, Surespot, Cyber Dust, and ChatSecure. The emulators used in the study are AMIDuOS, Andy, BlueStacks App Player, Droid4X, Genymotion, KOPLAYER, Memu, Nox App Player, Windroy, Xamarin Android Player, and YouWave Android. Their forensic signatures and application characteristic values are sorted and summarized for digital forensics, so that digital forensic personnel can refer to this digital forensic method when analyzing criminal evidence involving an Android emulator.

Keywords: mobile device forensics, Android emulator forensics, anti-forensics, message hiding application, message hiding, application forensics


Introduction 


Android and iOS are presently the two most 
common mobile operating systems. According to the 
IDC 2015 Smartphone OS Market Share Report [1], 
Android has the largest market share at 81.2%, followed 
by iOS at 15.8%. The Android mobile operating system 
can be installed in physical mobile devices; however, 
Android emulators are available for users to install and 
use Android applications. 

The main function of an Android emulator is to simulate the software and hardware environment of an Android mobile device (e.g., mobile phone or tablet). Emulators are typically used to enable PC users to download and use applications (e.g., games) from the Google Play store. Android emulators include the complete Android architecture, including the Linux kernel, native libraries, the Dalvik VM, and the Android application framework.

In recent years, personal information leakage and 
other information security incidents have occurred with 
increasing frequency. Thus, demand for privacy protection 
is rising. In response, several real-time communication 
software vendors with the highest popularity and the 
largest user quantity have started providing end-to-end 
encryption. For example, the WhatsApp application 
protects user content (e.g., text messages, photos, videos, group chats, and video chats) with end-to-end encryption. Only the sender and the recipient can read the encrypted messages. The Line instant communications application has an end-to-end encryption capability called "Letter Sealing". It applies by default to all chats, voice calls, and video calls. Because messages are scrambled into ciphertext using encryption keys stored on the personal devices rather than on the server, any message that is intercepted cannot be decrypted and read. The message-hiding application Telegram became infamous after Islamic State (ISIS) terrorists used it to exchange messages about a terrorist attack in Paris on Friday 13 November 2015. It has an automatic message destruction function to reduce the risk of being monitored. Such an application can be used as an instrument of crime because of its strong privacy protections. ISIS has developed another encrypted communication application called "Alrawi," which increases the difficulty for anti-terrorism units of spying on their terrorist activities. The United States government has warned that criminals and extremists could use such communication encryption technology to hide their whereabouts.

Suspects are likely to use Android emulators to 
install such message-hiding applications for criminal 
message transmission with the purpose of evading 
criminal investigation. Digital forensics practice 
personnel therefore need an in-depth discussion and 
study of how to analyze criminal cases that involve the 
use of new virtual mobile devices as instruments of 
crime. 


Experimental Materials and Methods 


Android Emulator Software 


In this study, an experiment was conducted on 
11 Android emulators. The Lollipop version of the 
AMIDuOS emulator was used as the research subject [2]. 
The Andy emulator can run on the Microsoft Windows 
operating system and the Apple OS X operating system. 
It has powerful functions, and it supports seamless 
synchronization between desktop and mobile devices [3]. 
The BlueStacks App Player is one of the earliest Android 
emulators in the market, and it is one of the most famous 
and most widely used emulators [4]. Droid4x, also known as the hippocampus-playing simulator, enables ARM applications to run on an x86 architecture, and it is compatible with more than 99% of the applications and games in the market [5]. The Genymotion Android
Emulator claims to be the Android emulator software 
with the fastest starting speed, and it currently supports 
operating systems including Microsoft Windows, 
Apple OS X, and Linux, with the features of being 
easy to install and use [6]. The KOPLAYER emulator, 
developed by Kaopu Network Co., Ltd. in Fuzhou 
China, supports Intel and AMD CPUs [7]. The Memu 
emulator, developed by Microvirt Software Technology 
Co., Ltd. in Shanghai of mainland China, provides a 
multiple boot manager function like Droid4X [8]. The 
Nox App Player, an emulator developed by MoreTech 
Inc. in Beijing, China, emphasizes high performance 
and ultimate compatibility [9]. The Windroy emulator 
was developed by Beijing Windroy Technology Co., 
Ltd. in mainland China [10]. Xamarin Android Player, 
an emulator developed by the company Xamarin, can be 
installed on Microsoft Windows and Apple OS X. It is 
mainly intended for use by application developers [11]. 
YouWave Android, a commercial emulator developed 
by the company YouWave in California, United States, 
supports Android 5.1 Lollipop version [12]. This study 
also selected 11 types of common Android emulators in 
the market as experiment and analysis objects, including 
Andy v46.2.207, AmiDuos v3.1.30, BlueStacks App 
Player v2.0, Genymotion v2.6.0, Memu v2.6.5, Droid4X 
v0.10.3, KOPLAYER v1.3.14, Nox App Player v3.1, 
Windroy v2.9, Xamarin Android Player v0.6.5, and 
YouWave Android v5.7. In addition, this study selected 
four message-hiding applications for experiments and 
analysis, including Wickr v2.6.4.1, Surespot v65, Cyber 
Dust v2.6.4, and ChatSecure v 14.2.3. 


Message-Hiding Applications 

In this study, an experiment was performed using 
four message-hiding applications: Wickr v2.6.4.1, 
Surespot v65, Cyber Dust v2.6.4, and ChatSecure 
v14.2.3. Wickr v2.6.4.1 is a free end-to-end message- 
hiding application that can be used to send text, video, 
picture, and voice messages. It emphasizes security 
and anonymity, with no metadata for tracking. Surespot 
v65 is an end-to-end message-hiding application that 
provides a symmetric key encryption (256 bit AES- 
GCM) mechanism, and emphasizes a built-in security 
mechanism. It can be used to send any message, but only 
the recipient can read the contents. Cyber Dust v2.6.4 is a message-hiding application that can automatically erase a message without leaving any evidence. All sent messages are deeply encrypted, cannot be accessed again, and cannot be read even by the developer. ChatSecure v14.2.3 is a message-hiding application that provides a powerful encryption mechanism and end-to-end authentication. The encryption methods used include XMPP with TLS for authorization control, OTR for end-to-end authentication, Tor for bypassing firewall restrictions, and SQLCipher for encrypting the locally stored dialogue records.


Description of the Experimental Simulation 
Environment 

This study used the Microsoft Windows 7 operating system as the experimental environment. The system registry, system connection port monitoring, file change monitoring, AVD DDMS (Android Virtual Device Dalvik Debug Monitor Server), and integrated forensics and analysis were used to observe and record changes in files after the Android emulators in this study were installed and run.


Experimental Method Design 

X-Ways Forensics comprehensively analyzed and recorded changes to the local file system and the virtual file system of the emulator. Regshot, CurrPorts, FolderChangesView, and Disk Pulse also recorded and analyzed the local system registry, system connection ports, folders, and files. The experimental and observation results of the Android emulator file system and the message-hiding applications were recorded and analyzed by AVD DDMS and WireShark Android Logcat to find out the names and paths of files that needed to be preserved for forensics. Fig. 1 shows the forensic process and research method.

Fig. 1 Digital forensics process for Android emulators.

The steps for testing an Android emulator are as follows:

1. Obtain the emulator to be examined forensically, and record its version.

2. Start the Regshot app on the Windows device to take a snapshot of the registry. Then start the CurrPorts, FolderChangesView, and Disk Pulse apps to enable their file monitoring functions.

3. Install the executable file of the Android emulator on the local device and observe the file changes in FolderChangesView and Disk Pulse.

4. After the installation is complete, disable the monitoring functions of FolderChangesView and Disk Pulse, and record the file and folder changes in a report file.

5. Use Regshot to take a second snapshot of the registry, use the comparison function to analyze the differences in the registry before and after software installation, and generate a report file.

6. Analyze the report files generated in the previous two steps to sort and summarize important file information of the Android emulator, find data items for forensic signatures, and record them.
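The snapshot-and-compare idea behind steps 2 to 5 (Regshot for the registry, FolderChangesView and Disk Pulse for files), applied to a directory tree, as an added example that is not part of the paper or of any of the tools it names. A snapshot records the SHA-256 and size of every file; comparing the snapshot taken before the installer runs with the one taken afterwards yields the files the installer added, removed, or changed. demo() runs the procedure against a constructed temporary directory; on a real host the two snapshots would be taken over paths such as C:\ProgramData and the user profile.

```python
"""Added example (not from the paper): before/after snapshot of a directory
tree, the file-system counterpart of the Regshot comparison step."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (path relative to root) to (sha256, size)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[rel] = (digest.hexdigest(), os.path.getsize(full))
    return snap


def diff_snapshots(before, after):
    """Return the added, removed and modified relative paths, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Simulate an emulator installer running between two snapshots.

    The directory layout and file contents are constructed for the demo;
    'ExampleEmu' is a placeholder name, not one of the emulators studied."""
    with tempfile.TemporaryDirectory() as root:
        data_dir = os.path.join(root, "ProgramData")
        os.makedirs(data_dir)
        with open(os.path.join(data_dir, "existing.cfg"), "w") as fh:
            fh.write("old")
        before = snapshot(root)

        # constructed installer activity: a new VM image folder and a changed config
        vm_dir = os.path.join(data_dir, "ExampleEmu", "imgs")
        os.makedirs(vm_dir)
        with open(os.path.join(vm_dir, "system.vdi"), "wb") as fh:
            fh.write(b"<<< placeholder virtual disk >>>" + b"\x00" * 64)
        with open(os.path.join(data_dir, "existing.cfg"), "w") as fh:
            fh.write("new")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than comparing modification times is deliberate: an installer can preserve timestamps, but it cannot keep the content hash of a file it has rewritten.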


The message-hiding APPs installed in the Android 
emulator were tested and observed to determine which 
files and paths might contain forensic information. 
During the installation and test of the wireless file 
transmission and message hiding APPs, X-Ways 
Forensics was used for comprehensive forensic analysis, 
and AVD DDMS was used to record and analyze file 
system changes in the Android emulator. 

The steps for testing an APP are as follows: 


1. Obtain the wireless file transmission and message- 
hiding APP to be examined, and record its version. 

2. Start the Logcat function of the AVD DDMS on the 
local device to monitor changes in the file system. 

3. Install the APK (Android application package) of the 
wireless file transmission and message-hiding APP on 
the local device, observe the file changes using AVD 
DDMS Logcat, and record the file and folder changes 
in a report file. 

4. Download the heap content (HPROF) of the 
wireless file transmission and message-hiding APP, 
respectively, before, during, and after running this 
APP, and analyze the file system and heap content. 


Results and Discussions 


Analysis of the installation paths and virtual file 
systems of Android emulators 


Each of the 11 emulators was installed and analyzed. Eight were installed in C:\Program Files\, C:\Program Files (x86)\, or C:\ProgramData\ (three of them can alternatively be installed under a user account). Two were installed under a user account (C:\Users\{USER ACCOUNT}\). One was installed in the root directory of the system disk (C:\KOPLAYER). According to analysis of the virtual file systems of the emulators, seven of the emulators stored the virtual file under a user account (C:\Users\{USER ACCOUNT}\), two in the system installation path, and the remaining two in C:\ProgramData\{Emulator Program Name}.

We analyzed the virtual machine technologies, virtual disk types, and registry keys used by the Android emulators. The emulators in this study used one of three virtual machine technologies: VMware, Oracle VirtualBox, and the self-developed LayerCake. They used one of five file configuration formats (virtual disk file types): VMware (VMDK), Oracle VirtualBox (VDI & VMDK), Oracle VirtualBox (VMDK), Oracle VirtualBox (VDI), and the self-developed sparsefs. The emulators had different keys under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\ for forensic personnel to track and examine.


Analysis of the programs started by emulators, 
ports, and whether ADB Shell can be used 

When one of the Android emulators is run, it starts 
a specific program and port. These allow the emulator 
to receive and transmit information from and to the host 
system. The program started by each emulator is stored 
in the heap while the emulator is running. The test results 
show that the program started by each emulator might 
use a different port. By observing the running emulators through the AVD DDMS, we found that of the 11 emulators, only KOPLAYER and YouWave Android did not connect to ADB Shell through their respective ports. The remaining nine emulators fetched the dynamically partitioned image file, RAM, and APP heap through ADB Shell.


Analysis of Digital Evidence 

This study analyzed the types of digital evidence generated by Android emulators. From the analysis results, we found that the file system might contain digital evidence such as files and folders, registry keys, program and network port information, and memory and logs. All of the emulators except KOPLAYER and YouWave Android fetched the APP heap information. Four of them, Andy, Genymotion, Nox App Player, and Xamarin Android Player, could directly fetch and examine the respective memory locations. The other seven required an importing program and an ADB connection to fetch from memory. The test result showed that the emulators, although using different virtual architectures and virtual environments, allow investigators to obtain APP information using digital forensic procedures and methods. Therefore, digital evidence can still be effectively fetched from these Android emulators. Major forensic signatures for the emulators are summarized in Table 1.


Table 1 Major forensic items for Android emulators.

Columns: emulator system path; path to the virtual file system of the emulator; type of virtual disk file; registry key analysis; started programs and ports; whether analysis on ADB Shell can be used, and its port.

1. AMIDuOS
   Emulator system path: C:\ProgramData\AMI\DuOS\; C:\Users\{USER ACCOUNT}\…
   Virtual file system path: C:\ProgramData\AMI\DuOS\imgs
   Virtual disk file type: vdi
   Registry keys: HKEY_CURRENT_USER\Software\AMI\DuOS\DuOS\; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
   Started programs and ports: DuOS.exe:3600; DuoVMHeadless.exe:10088
   ADB Shell usable: Yes, port 21503

2. Andy
   Emulator system path: C:\Users\{USER ACCOUNT}\AppData\Roaming\Andy\
   Virtual file system path: C:\Users\{USER ACCOUNT}\AppData\Roaming\Andy\machines\af48496a-085f-4698-8d8a-4d6ce371c7a0 (GUID)\images
   Virtual disk file type: vmdk
   Registry keys: HKEY_CURRENT_USER\Software\Andy\; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Andy OS\
   Started programs and ports: AndyConsole.exe:5905
   ADB Shell usable: Yes, port 5555

3. BlueStacks App Player
   Emulator system path: C:\Program Files (x86)\BlueStacks
   Virtual file system path: C:\ProgramData\BlueStacks\Android
   Virtual disk file type: .sparsefs
   Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\BlueStacks\
   Started programs and ports: HD-Frontend.exe:53306
   ADB Shell usable: Yes, port 5554

4. Droid4X
   Emulator system path: C:\Program Files (x86)\Droid4X
   Virtual file system path: C:\Program Files (x86)\Droid4X\VirtualBox VMs\droid4x\
   Virtual disk file type: vmdk
   Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Droid4X\
   Started programs and ports: Droid4X.exe:59955
   ADB Shell usable: Yes, port 26944

5. Genymotion
   Emulator system path: C:\Users\{USER ACCOUNT}\AppData\Local\Genymobile\Genymotion
   Virtual file system path: C:\Users\{USER ACCOUNT}\AppData\Local\Genymobile\Genymotion\deployed\{Mobile device name} (e.g., Samsung Galaxy Note 3 - 4.3 - API 18 - 1080x1920)
   Virtual disk file type: vdi and vmdk
   Registry keys: HKEY_CURRENT_USER\Software\Genymobile\Genymotion\; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   Started programs and ports: multiple ports, such as player.exe:56877
   ADB Shell usable: Yes, port 5555

6. KOPLAYER
   Emulator system path: C:\KOPLAYER
   Virtual file system path: C:\KOPLAYER\deployed\KOPLAYER
   Virtual disk file type: vmdk
   Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KOPLAYER_is1\
   Started programs and ports: KOPLAYER.exe (port not legible in the source)
   ADB Shell usable: No

7. Memu
   Emulator system path: C:\Program Files\Microvirt
   Virtual file system path: C:\Program Files\Microvirt\MEmu\MemuHyperv VMs\MEmu
   Virtual disk file type: vmdk
   Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MEmu\
   Started programs and ports: multiple ports, such as MEmu.exe:57385, 57387, 57391 and MEmuHeadless.exe:21500
   ADB Shell usable: Yes, port 21503

8. Nox App Player
   Emulator system path: C:\Program Files\Bignox\BigNoxVM; C:\Users\{USER ACCOUNT}\.BigNox
   Virtual file system path: C:\Users\{USER ACCOUNT}\AppData\Roaming\Nox\bin\BignoxVMS\nox\
   Virtual disk file type: (not legible in the source)
   Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\0147813640F7AF69F569581EE672B6BE1E71798E\
   Started programs and ports: nox_adb.exe:5037, 55504; NoxVMHandle.exe:58001
   ADB Shell usable: Yes, port 62001

9. Windroy
   Emulator system path: C:\Program Files (x86)\Windroye; C:\Program Files\WindroyeBox; C:\Users\{USER ACCOUNT}\AppData\Local\VirtualStore\Program Files\WindroyeBox
   Virtual file system path: C:\ProgramData\Windroye\vdi; C:\ProgramData\Windroye\Windroye_4E513D9BC016A2AADA0CF6F6426390EB\
   Virtual disk file type: (not legible in the source)
   Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\WindroyeBox\
   Started programs and ports: WindroyeBoxHD.exe:22555; Windroye.exe:55795
   ADB Shell usable: Yes, port 22515

10. Xamarin Android Player
   Emulator system path: C:\Program Files\Xamarin Android Player
   Virtual file system path: C:\Users\{USER ACCOUNT}\AppData\Roaming\XamarinAndroidPlayer\VMStorageLibrary\Nexus 5 (Lollipop)
   Virtual disk file type: vdi
   Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\21C5AD255AE2DB64E8CB93588A3DFB32\InstallProperties\
   Started programs and ports: AndroidPlayer.exe:49695
   ADB Shell usable: Yes, port 5555

11. YouWave Android
   Emulator system path: C:\Program Files (x86)\YouWave Android
   Virtual file system path: C:\Users\{USER ACCOUNT}\.Virtualbox\HardDisks
   Virtual disk file type: vdi
   Registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\YouWave\
   Started programs and ports: YouWave Android.exe:60500
   ADB Shell usable: No
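A way to put the Table 1 signatures to work during triage, as an added example that is not part of the paper: a host-side directory listing and a Regshot comparison report are reduced to lists of paths and registry keys, and each list is matched against the install paths and registry keys transcribed from Table 1. {USER ACCOUNT} is treated as a wildcard for any profile name. OBSERVED_PATHS and OBSERVED_KEYS are constructed sample input; on a real host they would come from the report files produced in steps 4 and 5 of the emulator test procedure.

```python
"""Added example (not from the paper): match observed host artefacts against
the emulator install paths and registry keys listed in Table 1."""
import re

# (install paths, registry keys) transcribed from Table 1. Trailing backslashes
# are dropped; matching is on whole path components, case-insensitive.
SIGNATURES = {
    "AMIDuOS": (["C:\\ProgramData\\AMI\\DuOS"],
                ["HKEY_CURRENT_USER\\Software\\AMI\\DuOS\\DuOS"]),
    "Andy": (["C:\\Users\\{USER ACCOUNT}\\AppData\\Roaming\\Andy"],
             ["HKEY_CURRENT_USER\\Software\\Andy",
              "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Andy OS"]),
    "BlueStacks App Player": (["C:\\Program Files (x86)\\BlueStacks", "C:\\ProgramData\\BlueStacks\\Android"],
                              ["HKEY_LOCAL_MACHINE\\SOFTWARE\\BlueStacks"]),
    "Droid4X": (["C:\\Program Files (x86)\\Droid4X"],
                ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Droid4X"]),
    "Genymotion": (["C:\\Users\\{USER ACCOUNT}\\AppData\\Local\\Genymobile\\Genymotion"],
                   ["HKEY_CURRENT_USER\\Software\\Genymobile\\Genymotion"]),
    "KOPLAYER": (["C:\\KOPLAYER"],
                 ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\KOPLAYER_is1"]),
    "Memu": (["C:\\Program Files\\Microvirt"],
             ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MEmu"]),
    "Nox App Player": (["C:\\Program Files\\Bignox\\BigNoxVM", "C:\\Users\\{USER ACCOUNT}\\.BigNox",
                        "C:\\Users\\{USER ACCOUNT}\\AppData\\Roaming\\Nox\\bin\\BignoxVMS"],
                       ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\0147813640F7AF69F569581EE672B6BE1E71798E"]),
    "Windroy": (["C:\\Program Files (x86)\\Windroye", "C:\\Program Files\\WindroyeBox", "C:\\ProgramData\\Windroye"],
                ["HKEY_LOCAL_MACHINE\\SOFTWARE\\WindroyeBox"]),
    "Xamarin Android Player": (["C:\\Program Files\\Xamarin Android Player",
                                "C:\\Users\\{USER ACCOUNT}\\AppData\\Roaming\\XamarinAndroidPlayer"],
                               ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\21C5AD255AE2DB64E8CB93588A3DFB32\\InstallProperties"]),
    "YouWave Android": (["C:\\Program Files (x86)\\YouWave Android"],
                        ["HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\YouWave"]),
}


def signature_regex(sig):
    """Compile a Table 1 signature into an anchored, case-insensitive prefix regex.

    {USER ACCOUNT} becomes 'one path component'; the signature must end at a
    backslash or at the end of the string, so C:\\KOPLAYER does not match
    C:\\KOPLAYERBackup."""
    pieces = [re.escape(p) for p in sig.rstrip("\\").split("{USER ACCOUNT}")]
    return re.compile("^" + r"[^\\]+".join(pieces) + r"(\\|$)", re.IGNORECASE)


def match_emulators(observed_paths, observed_keys):
    """Return {emulator name: sorted list of matching artefacts} for every hit."""
    hits = {}
    for name, (paths, keys) in SIGNATURES.items():
        matched = []
        for patterns, observed in ((paths, observed_paths), (keys, observed_keys)):
            for sig in patterns:
                rx = signature_regex(sig)
                matched.extend(o for o in observed if rx.match(o))
        if matched:
            hits[name] = sorted(set(matched))
    return hits


# constructed sample input standing in for a directory listing and a Regshot report
OBSERVED_PATHS = [
    "C:\\Users\\alice\\AppData\\Roaming\\Andy\\machines",
    "C:\\KOPLAYER\\deployed\\KOPLAYER",
    "C:\\Program Files (x86)\\Notepad++",   # unrelated software, must not match
    "C:\\KOPLAYERBackup",                    # near miss, must not match
]
OBSERVED_KEYS = [
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\BlueStacks\\Agent",
    "HKEY_CURRENT_USER\\Software\\Andy\\Settings",
]

if __name__ == "__main__":
    for name, artefacts in match_emulators(OBSERVED_PATHS, OBSERVED_KEYS).items():
        print(name)
        for a in artefacts:
            print("   ", a)
```

A single hit on a registry key alone is weak evidence (uninstallers often leave keys behind), so an examiner would weight a match on both the install path and a registry key higher than either one by itself.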
As shown in Table 2, the Android emulators employ three types of virtual machine software technologies. Digital evidence retained by emulators in the local device includes logs, temporary browser files, registry keys, memory information, files, and folders. Table 2 also shows whether X-Ways Forensics can fetch directly from emulator memory, and the path of the memory file.


Table 2 Digital evidence of Android emulators.

Local digital trace evidence retained by every emulator: logs, browser temporary files, registry keys, memory information, files and folders.

Columns: virtual machine software and technology employed; can emulator memory be fetched directly?; memory location by emulator.

1. Andy: VMware (VMDK); Yes; C:\Users\MJIB\AppData\Roaming\Andy\machines\06ad203a-81da-46f8-a582-15761de6c68b\images\*.
2. BlueStacks App Player: self-developed LayerCake virtual technology; No; N/A
3. Genymotion: Oracle VirtualBox (VDI & VMDK); Yes; C:\Users\{user account}\AppData\Local\Genymobile\Genymotion\deployed\HTC One - 4.4.4 - API 19 - 1080x1920\Snapshots\*.vmdk
4. Droid4X: Oracle VirtualBox (VMDK); No; N/A
5. KOPLAYER: Oracle VirtualBox (VMDK); No; N/A
6. Memu: Oracle VirtualBox (VMDK); No; N/A
7. Nox App Player: Oracle VirtualBox; Yes; C:\Users\{user account}\AppData\Roaming\Nox\bin\BignoxVMS\nox\Snapshots\*.vmdk
8. AMIDuOS: Oracle VirtualBox (VDI); No; N/A
9. Windroy: Oracle VirtualBox (VDI); No; N/A
10. Xamarin Android Player: Oracle VirtualBox (VDI); Yes; C:\Users\{user account}\AppData\Roaming\XamarinAndroidPlayer\VMStorageLibrary\Nexus 5 (Lollipop)\Snapshots\*.vmdk
11. YouWave Android: Oracle VirtualBox (VDI); No; N/A


Analysis of the message-hiding APP Wickr

When Wickr is installed, the emulator creates a folder named com.mywickr.wickr2 in the file system containing its internal memory. This folder consists of five subfolders: app_sfs, databases, files, no_backup, and shared_prefs. The shared_prefs folder stores XML files containing some parameter settings of the APP. The databases folder contains SQLite database files named wickr_db, and log files with names starting with wickr_db-journal. These two types of files are encrypted, so the SQLite database files cannot be opened or browsed by an SQLite database reader, and the log files cannot be opened or read by common text editors. The files folder stores record files (with the file extension .wic) related to the chats with different contacts. All chat record files are encrypted using the SHA-256 algorithm. For each chat record, two .wic files are generated with almost identical names, for example, dacec2704dbdbbff585cdd778a9cb47bbe24a5d583ee2f0d4705bd9e84f1f08f.wic and dacec2704dbdbbff585cdd778a9cb47bbe24a5d583ee2f0d4705bd9e84f1f08f2.wic. The second .wic file is generated empty, for reasons that are not clear. Under the files folder, there is also an encrypted file named keyFile, which is used to store external memory content of the emulator. Analysis of the APP's network connection shows that the APP performs account login and message transmission through the HTTPS (port 443) service, and exchanges messages through the secex.info (204.232.166.114) server.


Analysis of the message-hiding APP Surespot 


After Surespot is installed, the emulator creates 
a folder named com.twofours.surespot in the file 
system of the internal memory. This folder consists of 
two subfolders: files and shared_prefs. The shared_ 
prefs folder stores XML files containing some of the 
APP’s parameter settings. The account information of 
the last user and the last contact can be found in the 
surespot_preferences.xml file. The files folder consists 
of three subfolders: identities, publicKeys, and state. 
The identities folder stores .ssi files of a user account in GZIP format, with the file header 0x1F 8B 08. We used 7-Zip to decompress the .ssi files and attempted to parse their content, but found that the content was AES encrypted; therefore, we could not retrieve any account information. Under the publicKeys folder are subfolders storing the account information of the users. The state folder stores the chat records in a file named messages_{user account}_{contact account}.sss and contact information in a file named friends.sss. All .sss files are stored in GZIP format. After the files were decompressed, we found that the content was in JSON format, with the following fields and their corresponding values: id, to, hashed, voicePlayed, shareable, iv, fromVersion, gcm, data, from, datetime, mimeType, and toVersion. The iv and data fields were encrypted with AES-256. The datetime field contains the chat time stored as a UNIX numeric timestamp. The /data/com.twofours.surespot and surespot folders store external memory information of the emulator. Analysis of the APP's network connection information shows that the APP performs account login and message transmission through the HTTPS (port 443) service, and exchanges related messages through the server.surespot.me and appspot.l.google.com servers.
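The decompress-and-parse step for a Surespot .sss state file, as an added example that is not part of the paper: the GZIP magic 0x1F 8B 08 is checked before decompressing, the JSON is loaded, the datetime field is converted from a UNIX timestamp, and the fields the text identifies as ciphertext (iv and data) are reported rather than interpreted. The message record built by make_sample_sss() is constructed: the field names are the ones listed above, the values are made up, and the assumption that datetime may be in milliseconds (decided by magnitude) is mine, not the paper's.

```python
"""Added example (not from the paper): parse a GZIP-wrapped JSON .sss file
of the kind described for Surespot's state folder."""
import base64
import gzip
import json
from datetime import datetime, timezone

GZIP_MAGIC = b"\x1f\x8b\x08"   # file header 0x1F 8B 08 named in the text


def make_sample_sss():
    """Build a constructed .sss blob: a GZIP-compressed JSON list of one message."""
    record = {
        "id": 1, "to": "alice", "from": "bob",
        "hashed": False, "voicePlayed": False, "shareable": True, "gcm": True,
        "iv": base64.b64encode(b"\x00" * 16).decode(),              # placeholder IV
        "data": base64.b64encode(b"\xde\xad\xbe\xef" * 8).decode(),  # placeholder ciphertext
        "fromVersion": "1", "toVersion": "1",
        "datetime": 1447372800000,   # constructed: 2015-11-13 00:00:00 UTC in milliseconds
        "mimeType": "text/plain",
    }
    return gzip.compress(json.dumps([record]).encode())


def to_utc(ts):
    """Assumption: values above 1e11 are milliseconds, otherwise seconds."""
    if not isinstance(ts, (int, float)):
        return None
    secs = ts / 1000 if ts > 10**11 else ts
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()


def parse_sss(blob):
    """Verify the GZIP header, decompress, and summarise each message record."""
    if not blob.startswith(GZIP_MAGIC):
        raise ValueError("not a GZIP stream, header %r" % blob[:3])
    records = json.loads(gzip.decompress(blob))
    if isinstance(records, dict):
        records = [records]
    summary = []
    for r in records:
        summary.append({
            "id": r.get("id"), "from": r.get("from"), "to": r.get("to"),
            "when_utc": to_utc(r.get("datetime")), "mimeType": r.get("mimeType"),
            # fields that stay opaque without the AES key
            "encrypted_fields": [k for k in ("iv", "data") if k in r],
            "ciphertext_bytes": len(base64.b64decode(r["data"])) if "data" in r else 0,
        })
    return summary


if __name__ == "__main__":
    for rec in parse_sss(make_sample_sss()):
        print(rec)
```

The metadata recovered this way (who talked to whom, when, and how much ciphertext was exchanged) is the forensic value of the file; the message bodies stay in the encrypted data field.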


Analysis of the message-hiding APP Cyber Dust 


When Cyber Dust is installed, the emulator creates 
a folder named com.radicalapps.cyberdust in the file 
system of the internal memory. This folder consists of 
five subfolders: cache, code_cache, databases, files, and 
shared_prefs. The shared_prefs folder stores XML files 
containing some parameter settings of the APP. Among 
these files, the MyPreferences.xml file is of the greatest importance. It contains the user account name, device type, and a token value encrypted by a proprietary algorithm and encoded in base64. The databases folder stores SQLite database files named cyberdust.db and log files with names starting with cyberdust.db-journal. The cyberdust.db file can be read, and its id, message_id, and date fields may help in understanding certain files of encrypted messages. The files folder contains some files useful for decrypting the messages transmitted by the APP, such as gaClientId, INSTALLATION, privateKey.5715f8afe4b05bbb32a8099f, and publicKey.5715f8afe4b05bbb32a8099f. The suffix 5715f8afe4b05bbb32a8099f of the privateKey file is the message ID used in this chat. The gaClientId and INSTALLATION files record UUIDs. No folder is created to store external memory information of the emulator. Analysis of the APP's network connection information shows that it performs account login and message transmission through the HTTPS (port 443) service and exchanges messages through the cyberdustloadbalancerprod-1918061346.us-east-1.elb.amazonaws.com server.


Analysis of the message-hiding APP ChatSecure 
After ChatSecure is installed, the emulator creates 
a folder named info.guardianproject.otr.app.im in the 
file system of the internal memory. This folder consists 
of four subfolders: app_KeyStore, databases, files, 
and shared_prefs. The shared_prefs folder stores XML 
files containing some parameter settings of the APP. 
Among these files, the account.xml file is of the greatest 
importance as it records the user’s account information. 
Under the databases folder, there is a database file 
imps.db consisting of 21 tables, of which the accounts, 
contacts, messages, and chats tables contribute the most 
to forensic examination. The accounts table contains 
the user's account and plaintext password information. 
The contacts table contains contact information. The 
messages and chats tables contain any messages that are 
not yet deleted. The files folder has an encrypted SQLite 3 database file media.db and an APP debugging track file trail_properties. The track file records metadata that is useful for forensic examination, e.g., the APP start time and database start time. The /data/info.guardianproject.otr.app.im folder stores external memory information of the emulator. The analysis of the APP's network connection information shows that the APP performs account login and message transmission through the XMPP service and exchanges related messages through the jabber.otr.im (port 5222) public server.
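A triage routine for the SQLite files the four APPs leave behind, as an added example that is not part of the paper: a plaintext SQLite 3 file starts with the 16-byte header "SQLite format 3\0", so files such as Wickr's wickr_db or ChatSecure's media.db that lack it are encrypted (or not SQLite at all) and a normal reader fails on them, while a readable file such as ChatSecure's imps.db can have its tables enumerated and the forensically relevant ones (accounts, contacts, messages, chats) counted. The imps.db written by build_samples() is a constructed stand-in that uses only the table names given in the text; the column layout is made up, and the random-bytes media.db stands in for a SQLCipher-encrypted file.

```python
"""Added example (not from the paper): distinguish readable SQLite files
from encrypted ones by header, then enumerate the tables of readable ones."""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"          # first 16 bytes of any plaintext SQLite 3 file
TABLES_OF_INTEREST = ("accounts", "contacts", "messages", "chats")  # named in the text


def classify_db(path):
    """'plaintext-sqlite' if the header matches, otherwise 'encrypted-or-unknown'."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    return "plaintext-sqlite" if header == SQLITE_MAGIC else "encrypted-or-unknown"


def triage_db(path):
    """List the tables of a readable database and count rows in the relevant ones."""
    result = {"kind": classify_db(path), "tables": [], "row_counts": {}}
    if result["kind"] != "plaintext-sqlite":
        return result          # a SQLite reader would raise 'file is not a database' here
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        result["tables"] = [r[0] for r in rows]
        for table in result["tables"]:
            if table in TABLES_OF_INTEREST:
                count = con.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]
                result["row_counts"][table] = count
    finally:
        con.close()
    return result


def build_samples(directory):
    """Write a constructed imps.db-like file and a random-bytes 'encrypted' media.db."""
    imps = os.path.join(directory, "imps.db")
    con = sqlite3.connect(imps)
    con.executescript("""
        CREATE TABLE accounts(_id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE contacts(_id INTEGER PRIMARY KEY, username TEXT, nickname TEXT);
        CREATE TABLE chats(_id INTEGER PRIMARY KEY, contact_id INTEGER);
        CREATE TABLE messages(_id INTEGER PRIMARY KEY, thread_id INTEGER, body TEXT, date INTEGER);
        INSERT INTO accounts VALUES (1, 'user@jabber.otr.im');
        INSERT INTO contacts VALUES (1, 'peer@jabber.otr.im', 'peer');
        INSERT INTO chats VALUES (1, 1);
        INSERT INTO messages VALUES (1, 1, 'hello', 1447372800), (2, 1, 'reply', 1447372860);
    """)
    con.commit()
    con.close()
    media = os.path.join(directory, "media.db")
    with open(media, "wb") as fh:
        fh.write(os.urandom(4096))   # no recognisable header, as with an encrypted file
    return imps, media


def demo():
    """Triage both constructed files and return the results keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        imps, media = build_samples(d)
        return {os.path.basename(p): triage_db(p) for p in (imps, media)}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Checking the header before opening is what separates "this database is encrypted" from "this database is corrupt" in a report: the text itself notes that Wickr's wickr_db and ChatSecure's media.db cannot be browsed by an ordinary SQLite reader, and the missing header is the observable reason.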

As shown in Table 3, the four message-hiding 
APPs have three types of digital evidence for forensic 
examination: internal memory file system and external 
memory of the emulator, network connection analysis 
data, and emulator and APP heaps. The analysis of the 
internal memory file system for the emulator shows that 
Wickr, Cyber Dust, and ChatSecure generate SQLite 
database files in the program folder to store relevant 
information. According to analysis of the emulator and APP heap information while each of the APPs is running, secret messages sent and received by the user, and even already deleted messages, are retained. If the user logs out of the APP account but does not close the APP, most of the hidden messages in the APP heap are lost, while related messages can still be found in the emulator memory.


Table 3 Major forensic items for message-hiding APPs.

Columns: file system of the internal memory for the emulator; any folder generated for the external memory of the emulator?; network connection analysis data; emulator and APP heap analysis.

Emulator and APP heap analysis (identical for all four APPs): secret messages sent and received by the user, and deleted messages, can be found in the emulator and APP heaps. Most of the secret messages in the APP heap are lost if the user logs out of the APP.

Wickr
   Internal memory file system: com.mywickr.wickr2 folder, Wickr.db, all .wic files, and keyFile
   Folder generated for external memory: No
   Network connection: account login and message transmission via the secex.info (204.232.166.114:443) server; HTTPS service

Surespot
   Internal memory file system: com.twofours.surespot folder, {user account}.ssi, 1.spk, cookie.sss, friends.sss, and messages_{user account}:{contact account}.sss
   Folder generated for external memory: the /data/com.twofours.surespot and surespot folders are generated
   Network connection: account login and message transmission via the server.surespot.me and appspot.l.google.com (443) servers; HTTPS service

Cyber Dust
   Internal memory file system: com.radicalapps.cyberdust folder, cyberdust.db, Web Data, privateKey.577aef46e4b07259ae71c8e0, and publicKey.577aef46e4b07259ae71c8e0
   Folder generated for external memory: No
   Network connection: account login and message transmission via cyberdustloadbalancerprod-1918061346.us-east-1.elb.amazonaws.com (443); HTTPS service

ChatSecure
   Internal memory file system: info.guardianproject.otr.app.im folder, imps.db (not encrypted; plaintext messages may be found), media.db, Web Data, and KeyStore.bks
   Folder generated for external memory: the /data/info.guardianproject.otr.app.im folder is generated
   Network connection: account login and message transmission via jabber.otr.im (5222)
Conclusion

In this study, 11 Android emulators and four message-hiding APPs were tested to explore digital evidence retained on local devices. Therefore, this study applied existing digital forensic procedures and methods to discover the emulator file structure and file characteristic items in which digital evidence may be hidden on local devices. The results show that … transmitted. Therefore, the comparison of memory content may help in finding favorable forensic items and characteristic items. Message-hiding APPs that provide end-to-end message encryption and database encryption present a major challenge to digital forensic practice. Further exploration is required to study and develop forensic decryption technologies and methods for end-to-end encryption APPs.